nanog mailing list archives

RE: Requirements for IPv6 Firewalls


From: Dustin Jurman <dustin () rseng net>
Date: Thu, 17 Apr 2014 18:04:56 +0000

Always interesting responding to a NANOG thread.  

- The approach is from an end user rather than a service provider. The firewall operator would be more interested in identifying 
PPS for attacks / compromised hosts vs. QoS, but I suppose it could be used for QoS as well. (Not my intent.) So today 
we have NAT'd firewalls that overload a particular interface; IMHO, since properly implemented V6 should not use NAT, I 
would want my FW vendor to allow me to see what's going on PPS-wise via the dashboard function. Most V4 firewalls do 
this today at an interface level. 

- Average packet size for all hosts would allow the operator to make a determination and set thresholds for new forms of 
attacks and exploits. (Thinking forward, once applications take advantage of V6.) 

- MTU negotiated between hosts - since this happens between endpoints in v6, this could help identify tunnels in the 
network / changes in WAN topology. Not like we haven't seen that before. While a change in flight should create a 
drop, when the session re-establishes it could resize. 

Dustin Jurman
 

-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins () arbor net] 
Sent: Thursday, April 17, 2014 8:51 AM
To: NANOG
Subject: Re: Requirements for IPv6 Firewalls


On Apr 17, 2014, at 7:35 PM, Dustin Jurman <dustin () rseng net> wrote:

- packets per second
      - Firewall Level
      - Hosts level

This is getting into QoS territory . . .

- packet size information

Concur - packet-length.

      - Average for FW of all Network hosts

This isn't very operationally useful, IMHO.

      - Negotiated Between Hosts  

I'm not sure what this means?

But classifiers for everything in the IP, TCP, UDP, and ICMP headers, along with packet length, make a lot of sense.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton
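The three measurements discussed in this thread (per-host PPS, average packet length, and the largest packet a host pair exchanges shrinking over time), worked through as an added example that is not part of the original post or any vendor's firewall code. The packet records and addresses are constructed sample values; a real dashboard would feed it from the firewall's own counters or flow export.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Pkt:
    ts: float      # seconds since capture start
    src: str       # IPv6 source address
    dst: str       # IPv6 destination address
    length: int    # total packet length in bytes

# Constructed sample (not captured traffic): a quiet host, a noisy one, and
# a pair whose largest packet shrinks in the second window, as it would if
# the path picked up a tunnel header or the WAN path changed.
SAMPLE = (
    [Pkt(0.5 + i, "2001:db8::10", "2001:db8::1", 1480) for i in range(3)]
    + [Pkt(0.1 * i, "2001:db8::bad", "2001:db8::1", 64) for i in range(50)]
    + [Pkt(10.5 + i, "2001:db8::10", "2001:db8::1", 1280) for i in range(3)]
)

def per_host_stats(pkts, t0, t1):
    """PPS and average packet length per source host over [t0, t1)."""
    counts, total = defaultdict(int), defaultdict(int)
    for p in pkts:
        if t0 <= p.ts < t1:
            counts[p.src] += 1
            total[p.src] += p.length
    secs = t1 - t0
    return {h: (counts[h] / secs, total[h] / counts[h]) for h in counts}

def flag_hosts(stats, pps_limit, min_avg_len):
    """Hosts over the PPS threshold or under the average-length threshold."""
    return sorted(h for h, (pps, avg) in stats.items()
                  if pps > pps_limit or avg < min_avg_len)

def largest_packet_drops(pkts, window):
    """Largest packet per (src, dst) pair per window; report pairs whose
    maximum shrank between consecutive observed windows."""
    maxes = defaultdict(dict)  # pair -> {window index: max length}
    for p in pkts:
        key, w = (p.src, p.dst), int(p.ts // window)
        maxes[key][w] = max(maxes[key].get(w, 0), p.length)
    drops = {}
    for key, per_win in maxes.items():
        seq = [per_win[w] for w in sorted(per_win)]
        for before, after in zip(seq, seq[1:]):
            if after < before:
                drops[key] = (before, after)
    return drops

if __name__ == "__main__":
    stats = per_host_stats(SAMPLE, 0, 10)
    print(flag_hosts(stats, pps_limit=2, min_avg_len=100))  # ['2001:db8::bad']
    print(largest_packet_drops(SAMPLE, window=10))  # {('2001:db8::10', '2001:db8::1'): (1480, 1280)}
```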